Publication Date – January 14, 2020
When classifying observations as Malware Servers events, we use blacklists and file hashes.
- Safe browsing and blacklists are publicly used by security organizations to identify network points that are distributing files. Brand monitoring services continuously observe new domains or online activity on behalf of their clients and report such activities to search engines.
- File hashes become known and traceable to a specific malware family.
Examples
Malware servers can host different types of exploits, including:
- Fake Antivirus Software: The malware pretends to detect threats on the machine, and claims that it can only be removed by buying the software. The threats are often fake and intended only to scare the user into purchasing the software, which does not actually protect the user’s device.
- Drive-by Downloads: These will often hide in popup windows or dialog boxes, to be downloaded without the user’s consent.
- Phishing Websites: Tricks the user into giving information, by presenting itself as a trusted service. For example, a phishing site might have a URL that’s similar to a legitimate banking website. It then prompts the user for their account information and credentials.